netfilter: conntrack: reset tcp maxwin on re-register

Doug Smythies says: Sometimes it is desirable to temporarily disable, or clear, the iptables rule set on a computer being controlled via a secure shell session (SSH). While unwise on an internet facing computer, I also do it often on non-internet accessible computers while testing. Recently, this has become problematic, with the SSH session being dropped upon re-load of the rule set. The problem is that when all rules are deleted, conntrack hooks get unregistered. In case the rules are re-added later, its possible that tcp window has moved far enough so that all packets are considered invalid (out of window) until entry expires (which can take forever, default established timeout is 5 days). Fix this by clearing maxwin of existing tcp connections on register. v2: don't touch entries on hook removal. v3: remove obsolete expiry check. Reported-by: Doug Smythies <dsmythies@telus.net> Fixes: 4d3a57f23dec59 ("netfilter: conntrack: do not enable connection tracking unless needed") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: conntrack: reset tcp maxwin on re-register
Doug Smythies says: Sometimes it is desirable to temporarily disable, or clear, the iptables rule set on a computer being controlled via a secure shell session (SSH). While unwise on an internet facing computer, I also do it often on non-internet accessible computers while testing. Recently, this has become problematic, with the SSH session being dropped upon re-load of the rule set. The problem is that when all rules are deleted, conntrack hooks get unregistered. In case the rules are re-added later, its possible that tcp window has moved far enough so that all packets are considered invalid (out of window) until entry expires (which can take forever, default established timeout is 5 days). Fix this by clearing maxwin of existing tcp connections on register. v2: don't touch entries on hook removal. v3: remove obsolete expiry check. Reported-by: Doug Smythies <dsmythies@telus.net> Fixes: 4d3a57f23dec59 ("netfilter: conntrack: do not enable connection tracking unless needed") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal · Pablo Neira Ayuso
1 parent 7acfda539c
Showing 1 changed file with 26 additions and 0 deletions Side-by-side Diff
net/netfilter/nf_conntrack_proto.c
@@ -776,9 +776,26 @@
 };
 #endif
  
+static int nf_ct_tcp_fixup(struct nf_conn *ct, void *_nfproto)
+{
+	u8 nfproto = (unsigned long)_nfproto;
+
+	if (nf_ct_l3num(ct) != nfproto)
+		return 0;
+
+	if (nf_ct_protonum(ct) == IPPROTO_TCP &&
+	    ct->proto.tcp.state == TCP_CONNTRACK_ESTABLISHED) {
+		ct->proto.tcp.seen[0].td_maxwin = 0;
+		ct->proto.tcp.seen[1].td_maxwin = 0;
+	}
+
+	return 0;
+}
+
 static int nf_ct_netns_do_get(struct net *net, u8 nfproto)
 {
 	struct nf_conntrack_net *cnet = net_generic(net, nf_conntrack_net_id);
+	bool fixup_needed = false;
 	int err = 0;
  
 	mutex_lock(&nf_ct_proto_mutex);
@@ -798,6 +815,8 @@
 					    ARRAY_SIZE(ipv4_conntrack_ops));
 		if (err)
 			cnet->users4 = 0;
+		else
+			fixup_needed = true;
 		break;
 #if IS_ENABLED(CONFIG_IPV6)
 	case NFPROTO_IPV6:
@@ -814,6 +833,8 @@
 					    ARRAY_SIZE(ipv6_conntrack_ops));
 		if (err)
 			cnet->users6 = 0;
+		else
+			fixup_needed = true;
 		break;
 #endif
 	default:
@@ -822,6 +843,11 @@
 	}
  out_unlock:
 	mutex_unlock(&nf_ct_proto_mutex);
+
+	if (fixup_needed)
+		nf_ct_iterate_cleanup_net(net, nf_ct_tcp_fixup,
+					  (void *)(unsigned long)nfproto, 0, 0);
+
 	return err;
 }
...	...	@@ -776,9 +776,26 @@
776	776	};
777	777	#endif
778	778
	779	+static int nf_ct_tcp_fixup(struct nf_conn ct, void _nfproto)
	780	+{
	781	+ u8 nfproto = (unsigned long)_nfproto;
	782	+
	783	+ if (nf_ct_l3num(ct) != nfproto)
	784	+ return 0;
	785	+
	786	+ if (nf_ct_protonum(ct) == IPPROTO_TCP &&
	787	+ ct->proto.tcp.state == TCP_CONNTRACK_ESTABLISHED) {
	788	+ ct->proto.tcp.seen[0].td_maxwin = 0;
	789	+ ct->proto.tcp.seen[1].td_maxwin = 0;
	790	+ }
	791	+
	792	+ return 0;
	793	+}
	794	+
779	795	static int nf_ct_netns_do_get(struct net *net, u8 nfproto)
780	796	{
781	797	struct nf_conntrack_net *cnet = net_generic(net, nf_conntrack_net_id);
	798	+ bool fixup_needed = false;
782	799	int err = 0;
783	800
784	801	mutex_lock(&nf_ct_proto_mutex);
...	...	@@ -798,6 +815,8 @@
798	815	ARRAY_SIZE(ipv4_conntrack_ops));
799	816	if (err)
800	817	cnet->users4 = 0;
	818	+ else
	819	+ fixup_needed = true;
801	820	break;
802	821	#if IS_ENABLED(CONFIG_IPV6)
803	822	case NFPROTO_IPV6:
...	...	@@ -814,6 +833,8 @@
814	833	ARRAY_SIZE(ipv6_conntrack_ops));
815	834	if (err)
816	835	cnet->users6 = 0;
	836	+ else
	837	+ fixup_needed = true;
817	838	break;
818	839	#endif
819	840	default:
...	...	@@ -822,6 +843,11 @@
822	843	}
823	844	out_unlock:
824	845	mutex_unlock(&nf_ct_proto_mutex);
	846	+
	847	+ if (fixup_needed)
	848	+ nf_ct_iterate_cleanup_net(net, nf_ct_tcp_fixup,
	849	+ (void *)(unsigned long)nfproto, 0, 0);
	850	+
825	851	return err;
826	852	}
827	853